6.
Secure SDLC – Core Banking, Page 6
SDLC versus Secure SDLC

Typical SDLC: Business Requirements → Design → Development → Functional Testing → Deployment
Secure SDLC: Business and Security Requirements → Secure Design → Secure Development → Security & Functional Testing → Secure Deployment

► Typical SDLC does not explicitly include ‘Security’ in it
► Secure SDLC has an explicit place for ‘Security’ and practices within it

7.
Secure SDLC: Business and Security Requirements

Understanding security requirements should be a mandatory exercise of the business requirements phase when developing an application. Security requirements in this phase are:

► Application Risk Profiling: Review the Core Banking application portfolio in terms of risk as compared to other applications within the Bank. Responses to questions such as those below will help determine this:
  ► What are the key business risks and possible technical risks?
  ► Will the application be accessible over the Internet?
  ► Will the application store personally identifiable information (PII)?
► Describe and confirm high-level security requirements
  ► What high-level data or information needs to be accessed?
  ► What is the context of the application within the current infrastructure?
  ► What application features will have an impact on security?
► Determine possible use cases
  ► How will users interact with the application (VPN, browser, etc.)?
  ► Will other web services or applications connect with the application?

8.
Secure SDLC: Secure Design

Security MUST begin right from secure design…

► Developing Threat Model: An excellent method to determine the technical security posture of the proposed application. This can be achieved by:
  ► Decomposing the application to determine potential weak spots that an attacker might want to exploit
  ► Categorizing and ranking threats to determine potential threats, which helps develop mitigation strategies
  ► Mitigating the identified threats, for example through information security training for developers and programmers, programming-language-specific secure coding training, etc.
► Secure Architecture Design (SAD):
  ► A security architecture framework should be established within the Bank to serve as the foundation for secure design across multiple in-house application development efforts
► Develop Security Test Plans
  ► Based on the frequency of testing (quarterly, monthly), area of tests (Web, APIs, etc.) and type of tests (black or white box)

9.
Secure SDLC: Secure Development

Secure development is an inherent part of developing business logic for core banking applications.

► Program for Developer Awareness and Training:
  ► It is a common observation that programmers often have very little experience in coding securely
  ► They must undergo adequate training, at a bare minimum in Web application security, language-specific (.NET, Java) secure coding techniques, and custom courses based on code review or application tests
► Developing Secure Coding Standards, Guidelines and Frameworks for Key Languages and Platforms:
  ► The objective is to provide SDLC participants with the proper requirements for securing software applications from the design stage through deployment
► Source Code Review Process:
  ► Control flow analysis, in addition to automation of source code review of the application, must be adopted
  ► It accurately tracks the sequencing of operations to prevent issues such as uninitialized variable use or a failure to enable parser validation
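
The control flow analysis mentioned under Source Code Review Process can be illustrated with a small definite-assignment check. This is an added example, not part of the original slides; the control-flow graph, the variable names and the transfer-handler scenario are constructed for illustration.

```python
# Constructed control-flow graph for a hypothetical transfer handler.
# Each block: (statements, successors); each statement: (line, defs, uses).
CFG = {
    "entry": ([(1, {"amount"}, {"req"})], ["check"]),           # amount = parse(req)
    "check": ([(2, set(), {"amount", "limit"})], ["high", "low"]),  # if amount > limit
    "high":  ([(3, {"fee"}, {"amount"})], ["post"]),            # fee = compute_fee(amount)
    "low":   ([], ["post"]),                                    # no assignment to fee
    "post":  ([(5, set(), {"amount", "fee"})], []),             # debit(amount + fee)
}
PARAMS = {"req", "limit"}  # assumed assigned on entry


def definitely_assigned(cfg, entry, params):
    """Forward 'must' data-flow: variables assigned on every path into a block."""
    universe = set(params)
    for stmts, _ in cfg.values():
        for _, defs, _ in stmts:
            universe |= defs
    preds = {b: [] for b in cfg}
    for b, (_, succs) in cfg.items():
        for s in succs:
            preds[s].append(b)
    out = {b: set(universe) for b in cfg}  # optimistic start, shrinks to a fixpoint
    inn = {}
    changed = True
    while changed:
        changed = False
        for b, (stmts, _) in cfg.items():
            if b == entry:
                inn[b] = set(params)
            elif preds[b]:
                inn[b] = set.intersection(*(out[p] for p in preds[b]))
            else:
                inn[b] = set()  # unreachable block: nothing is known to be assigned
            new_out = set(inn[b])
            for _, defs, _ in stmts:
                new_out |= defs
            if new_out != out[b]:
                out[b], changed = new_out, True
    return inn


def find_uninitialized_uses(cfg, entry, params):
    """Return sorted (line, variable) pairs where a use may precede any assignment."""
    inn = definitely_assigned(cfg, entry, params)
    findings = []
    for b, (stmts, _) in cfg.items():
        assigned = set(inn[b])
        for line, defs, uses in stmts:
            findings += [(line, v) for v in uses - assigned]
            assigned |= defs
    return sorted(findings)
```

On the constructed graph, `fee` is assigned only on the `high` branch, so its use at line 5 is reported; a line-by-line pattern scan would miss this because the assignment does exist elsewhere in the function.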

10.
Secure SDLC: Security and Functional Testing

Security testing (Vulnerability Assessment, Penetration Testing, etc.) should be inherent alongside functional testing of Core Banking applications.

► Security Integration with existing test bed:
  ► Most enterprise test environments use automated tools to perform functional, usability and QA testing
  ► As part of a mature security testing process, software testers must be inclined to embrace automated security tools that link into their existing test beds
► Security-related regression testing:
  ► Helps in confirming the security view presented by the architecture and development teams
  ► Further, it will also present an added level of comfort to internal and external application audit teams
► Develop Security Standards for infrastructure supporting the Applications
► Develop pre-implementation risk analysis
  ► The combined/overall security of the application should be determined before the application goes live. For example, the orchestration of web server farms with multiple operating systems and web server platforms, the design of firewall access control lists and assignment of network ports, and the integration with application servers can spark off a plethora of seemingly innocuous but dangerous vulnerabilities.